
Under the Hood of AFD.sys Part 1: Investigating Undocumented Interfaces
A quick look at how I used WinDbg and NtCreateFile to craft a raw TCP socket via AFD.sys on Windows 11, completely skipping Winsock.

The first reason for talking directly to AFD.sys instead of going through Winsock is to dodge the hooks used by some protection systems - like anti-cheat or anti-malware (though the latter usually rely on NDIS filters in kernel mode). A lot of these protections work by intercepting and modifying calls to functions exported by Ws2_32.lib - usually by injecting their own DLLs or patching stuff directly in process memory. TDI is the “upper edge” of the transport layer in the Windows kernel - an abstraction that, back in the days of NT 3.51, unified communication with various protocols (TCP/IP, NetBIOS, AppleTalk).
